Anonymous Overview and Background

How They Attack: Anatomy of an Anonymous Attack
+ Recruiting and Communications
+ Reconnaissance and Application Attack
+ DDoS

Mitigations
+ What's hot - Mitigation Tools
+ What's not - Non-Mitigation Tools
Speaker Bio - Tal Be'ery

+ Web Security Research Team Leader at Imperva
+ Holds MSc & BSc degrees in CS/EE from TAU
+ Decade of experience in the IS domain
+ Facebook "white hat"
+ Speaker at industry events
  - RSA, Black Hat, AusCERT
+ CISSP




"Hacktivism - a portmanteau of hack and activism."
What/Who is Anonymous



"...the first Internet- based superconsciousness." 

—Chris Landers. Baltimore City Paper, April 2, 2008 



"Anonymous is an umbrella for anyone to hack anything for 
any reason." 

-New York Times. 27 Feb 2012 





One thing is for sure - they are hackers! 






The Plot 
Literary Pyramid (figure): rising action, climax, falling action, resolution



Attack took place in 2011 over 
a 25 day period. 

Anonymous was on a deadline 
to breach and disrupt a 
website, a proactive attempt 
at hacktivism. 

The website was mostly 
informational but contained 
data and enabled some 
commerce. 

The attack was not successful. 
Skilled hackers
+ Small group, a few individuals per campaign
+ Have genuine hacking experience and are quite savvy

Nontechnical volunteers
+ Can be quite large, ranging from a few dozen to a few hundred volunteers
+ Directed by the skilled hackers
+ Provide the "muscle" needed to conduct DDoS attacks
On the Defense

Deployment line was network firewall and IDS, web application
firewall (WAF), web servers and anti-virus.

+ Imperva WAF
  - SecureSphere WAF version 8.5 inline, high availability
  - ThreatRadar reputation services
+ Unnamed network firewall and IDS
+ Unnamed anti-virus
How They Attack: The Anonymous Attack Anatomy

For more: http://www.imperva.com/docs/HII The Anatomy of an Anonymous Attack.pdf
Step 1B: Social Media Helps Recruit

(Twitter screenshot)
Example
Recon and Application Attack

"Avoid strength, attack weakness: Striking where the enemy is
most vulnerable."

— Sun Tzu
Anonymous' Attacks Mimic For-Profit Hackers

Hacker Forum Discussion Topics (chart)
+ spam
+ dos/ddos
+ SQL Injection
+ zero-day
+ shell code
+ brute-force
+ HTML Injection

Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions

©2012 Imperva, Inc. All rights reserved.




Tool #1: Vulnerability Scanners 

Purpose: Rapidly find application vulnerabilities. 

Cost: $0-$1000 per license. 

The specific tools: 
+ Acunetix (named a "Visionary" in a Gartner 2011 MQ) 
+ Nikto (open source) 

Step 2B: Exploiting Vulnerabilities

Tool #2: Havij
+ Purpose: automated SQL injection and data harvesting tool
+ Developed in Iran
Captured Havij request (the page name and the hex-encoded table_schema value
are not legible on the slide):

    GET /….php?id=106147073' and ascii(substring((SELECT distinct table_name FROM information_schema.tables WHERE table_schema=0x2020…20 limit 0,1),2,1))=56 and 'x'='x HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)(Havij)
    Connection: Close

This is boolean-based blind SQL injection: the injected condition asks whether
the second character of the first table name in the target schema has ASCII
code 56 ('8'). The tool iterates over positions and character codes, using the
page's true/false response as its oracle, until it has read out table and
column names and then the data itself. The "(Havij)" suffix in the User-Agent
identifies the tool.
Hackers protect their identity by using:
+ TOR
+ Other anonymity services
  - Anonymous proxies
  - Private VPN services
  - Hacked servers

How Tor Works (figure)

Source: https://www.torproject.org/about/overview.html.en
Why do hackers prefer using exploits over DDoS?

                         Exploits                                  DDoS
  Damage                 Inflict damage to all aspects of data     Only data availability on the site
                         security
  Duration               Long lasting                              Only during the attack
  (row label not legible)                                          Hundreds? Thousands...

Exploits are the hackers' first choice; DDoS is just a last resort.
Attack timeline, Day 19 to Day 23 (figure): directory traversal, SQL injection, DDoS recon, XSS
LulzSec hack analysis #1 - PBS
+ SQL injection, exploited by Havij
+ Defacement
+ Administrative data leakage

+ Executable file upload
+ PII of 170K users leaked
Mitigation: AppSec 101
+ Dork yourself
+ Blacklisting
+ WAF
+ WAF + VA
+ Stop automated attacks
+ Code fixing
Hacking Tools

Low-Orbit Ion Cannon (LOIC)
+ Purpose - DDoS
+ Windows desktop application, coded in C#
+ UDP/TCP/HTTP flooding

LOIC downloads
+ 2011: 380K
+ 2012 (through April 22): 380K
+ Jan 2012 (Megaupload takedown) = 83% of 2011's downloads!

(download chart)

For more: http://blog.imperva.com/2012/05/loicversary.html
Javascript/Mobile/VM/JS LOIC

+ DaaS - DoS as a Service
+ Easy to participate - no download
  - Just point your browser to the JS-LOIC page
+ Application layer attacks
+ Effective
  - Iterates up to 200 requests per second
+ Cross platform
  - Mobile devices
  - Linux/Mac/PC
www.target.com/search.php?q=a&id=61278641278&msg=we+are+legion!

+ Fixed target URL
  - Carefully selected to create load on the target server
+ A parameter with some arbitrary, changing value
  - To avoid caches along the way
+ A parameter "msg" carrying a hacktivist slogan
+ HTTP Referer header - indicates the source of the attack code
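A way to spot exactly that pattern in ordinary access logs, as an added example that is not part of the original deck: the constructed log lines below use the slide's URL shape; www.target.com, the client addresses, the Referer host pastehtml.example and the tool User-Agent markers are assumptions made for the example (the "(Havij)" marker is what the captured request on the earlier slide shows; Nikto's is assumed). Flagging a client needs at least two of the three LOIC traits, so a legitimate visitor who refreshes one page is not reported.

```python
"""Flag JS-LOIC style floods and known attack-tool User-Agents in web access
logs. Added example, not from the deck. All log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tool fingerprints (lower-cased). "(havij)" matches the captured request's
# User-Agent; "nikto" is an assumption about that scanner's default string.
TOOL_UA_MARKERS = ("(havij)", "nikto")
# Slogan from the slide; a real deployment keeps a longer, maintained list.
SLOGAN_MARKERS = ("we are legion",)

# Constructed sample: six JS-LOIC hits from one phone, one Havij probe, and
# three ordinary page views from a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [22/May/2012:10:00:01 +0000] "GET /search.php?q=a&id=61278641278&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
203.0.113.10 - - [22/May/2012:10:00:01 +0000] "GET /search.php?q=a&id=61278641301&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
203.0.113.10 - - [22/May/2012:10:00:01 +0000] "GET /search.php?q=a&id=61278641344&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
203.0.113.10 - - [22/May/2012:10:00:02 +0000] "GET /search.php?q=a&id=61278641390&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
203.0.113.10 - - [22/May/2012:10:00:02 +0000] "GET /search.php?q=a&id=61278641422&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
203.0.113.10 - - [22/May/2012:10:00:02 +0000] "GET /search.php?q=a&id=61278641477&msg=we+are+legion! HTTP/1.1" 200 5120 "http://pastehtml.example/jsloic.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
198.51.100.7 - - [22/May/2012:10:00:03 +0000] "GET /page.php?id=1%27%20and%20%27x%27=%27x HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)(Havij)"
192.0.2.5 - - [22/May/2012:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.5 - - [22/May/2012:10:00:09 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 4400 "http://www.target.com/index.php" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.5 - - [22/May/2012:10:00:15 +0000] "GET /product.php?id=42 HTTP/1.1" 200 2100 "http://www.target.com/search.php?q=shoes" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Combined-log-format parser; returns None for lines it cannot read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # '+' -> ' '
    return rec


def loic_reasons(recs, site_host):
    """Evidence that one client's requests are a JS-LOIC loop: a value that
    changes every request (cache busting), a slogan parameter, and a Referer
    that points at the page hosting the attack code rather than at the site."""
    reasons = []
    names = set()
    for r in recs:
        names.update(r["query"])
    for name in sorted(names):
        values = [r["query"].get(name, [""])[0] for r in recs]
        if len(set(values)) == len(values) and all(v.isdigit() for v in values):
            reasons.append("cache-busting parameter '%s' changes on every request" % name)
    if any(s in v.lower() for r in recs for vs in r["query"].values()
           for v in vs for s in SLOGAN_MARKERS):
        reasons.append("hacktivist slogan in query string")
    ref_hosts = {urlsplit(r["referer"]).hostname
                 for r in recs if r["referer"] not in ("", "-")}
    ref_hosts.discard(None)
    if ref_hosts and site_host not in ref_hosts:
        reasons.append("Referer on another host: %s" % ", ".join(sorted(ref_hosts)))
    return reasons


def analyze(lines, site_host, flood_threshold=5):
    """Map client IP -> sorted findings. Clients with no finding are absent."""
    per_ip = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]].append(rec)
        if any(m in rec["ua"].lower() for m in TOOL_UA_MARKERS):
            findings[rec["ip"]].add("attack-tool User-Agent: %s" % rec["ua"])
    for ip, recs in per_ip.items():
        paths = {r["path"] for r in recs}
        if len(recs) < flood_threshold or len(paths) != 1:
            continue  # a LOIC loop hammers one fixed URL
        reasons = loic_reasons(recs, site_host)
        if len(reasons) >= 2:
            findings[ip].add("JS-LOIC flood on %s: %s" % (paths.pop(), "; ".join(reasons)))
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG.splitlines(), "www.target.com").items():
        print(ip, found)
```

The Referer check only works if the log is taken behind TLS termination with the header intact, which is the same point the deck makes about WAF placement: a device that cannot see the decrypted HTTP request cannot see any of these three traits.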
Anonymous and LOIC in Action (figure: DDoS traffic, Day 19 to Day 28)

Mobile LOIC in Action (screenshot)
Decreasing costs
+ Application layer attacks are far more efficient
+ Fewer attackers are needed to take down a site

The DoS security gap
+ Traditionally, the defense against DDoS was based on dedicated devices
  operating at lower layers (TCP/IP). Those devices:
  - Don't decrypt SSL
  - Don't understand the HTTP protocol
  - Are unaware of the web application

For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html

6/1/2012

DDoS Is Moving Up the Stack
WAF: it can decrypt SSL, understand HTTP and also understand the application
business logic to analyze the traffic, sifting out the DoS traffic.

Knowing the language is the key to success!
Anti-Virus is Irrelevant: Malware is NOT the MO

McAfee mea culpa

"The security industry may need to reconsider some of its fundamental
assumptions, including 'Are we really protecting users and companies?'"

-- McAfee, September 2011
IPS and NGFWs do not prevent web application attacks.
+ Don't confuse "application aware marketing" with Web Application Security.

WAFs at a minimum must include the following to protect web applications:
+ Web-App Profile
+ Web-App Signatures
+ Web-App Protocol Security
+ Web-App DDoS Security
+ Web-App Cookie Protection
+ Anonymous Proxy/TOR IP Security
+ HTTPS (SSL) visibility
+ Security Policy Correlation
I have IPS and NGFW, am I safe?

+ IPS and NGFWs do not prevent web application attacks.
  - Don't confuse "application aware marketing" with Web Application Security.
+ However, IPS and NGFWs at best only partially support the items marked in
  red on the slide (two entries are not legible):
  - Web App Profile
  - Web App Protocol Security
  - Web App DDoS Security
  - Security Policy Correlation
  - Anonymous Proxy/TOR IP Security
Automated Scanning Tools

Automated SQL Tool
Havij output against the WAF-protected site:

    Testing for MySQL error based injection method
    MySQL error based injection method can't be used!
    MsSQL time based injection method can't be used
    MySQL time based injection method can't be used
    It seems that input parameter is not effective! Check the following:
    Are you sure input parameter really exists?!
    Are you sure the input value 'anything' is valid?
    Are you sure the "GET" method is correct?

Havij SQL attack attempt fails with errors due to WAF mitigation.
Questions